Originally identified by QuoIntelligence, APT 28 has been distributing Zebrocy malware to NATO members using NATO course themed lures. This campaign ran on August 5th, and arrived on the system as a jpg file with a zip file appended to the end of it, to fool email threat scanners that look at the first few bytes of file attachments into mis-identifying the attachment as a simple JPEG image. The file was then given the extension “.zipx”, allowing WinRAR to open the zip file and decompress it, effectively ignoring the JPEG image at the start of the file. Dropped by the zip file are two malware files, “16 October 2020.exe” and “16 October 2020.xls”. The EXE file used a PDF icon, which could make it particularly convincing if extensions are hidden. Additionally, the xls file is corrupted, but contains unconfirmed data about the military mission “African Union Mission for Somalia”.
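A defender-side check for the polyglot trick described above, added here as an example and not part of the original article: it flags an attachment whose leading bytes claim JPEG but whose tail parses as a valid ZIP archive, regardless of the extension the sender chose. The sample blob is constructed inside the block; its member names echo the campaign's dropped files but contain placeholder bytes only.

```python
import io
import zipfile

JPEG_MAGIC = b"\xff\xd8\xff"        # SOI marker every JPEG starts with
ZIP_LOCAL_HEADER = b"PK\x03\x04"    # first local file header of an archive
ZIP_EOCD = b"PK\x05\x06"            # end-of-central-directory record


def find_trailing_zip(data: bytes):
    """Return (offset, member_names) when a ZIP archive is appended to some
    other content, i.e. the archive does not start at byte 0; else None."""
    if data.rfind(ZIP_EOCD) == -1:
        return None
    start = data.find(ZIP_LOCAL_HEADER)
    if start <= 0:  # -1: no archive; 0: a plain ZIP, not a polyglot
        return None
    try:
        # Offsets inside the appended archive are relative to its own start,
        # so slicing at the first local header yields a normal ZIP.
        with zipfile.ZipFile(io.BytesIO(data[start:])) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return None
    return start, names


def classify_attachment(data: bytes) -> str:
    """Label an attachment by content rather than by extension; a scanner
    that stops at the magic bytes would call the polyglot case 'jpeg'."""
    looks_like_jpeg = data.startswith(JPEG_MAGIC)
    if looks_like_jpeg and find_trailing_zip(data):
        return "jpeg-zip-polyglot"
    if looks_like_jpeg:
        return "jpeg"
    if data.startswith(ZIP_LOCAL_HEADER):
        return "zip"
    return "unknown"


def build_sample() -> bytes:
    """Constructed sample: a JPEG header stub followed by a ZIP holding two
    placeholder members named like the campaign's dropped files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("16 October 2020.exe", b"placeholder, not a real binary")
        zf.writestr("16 October 2020.xls", b"placeholder, not a real sheet")
    jpeg_stub = JPEG_MAGIC + b"\xe0\x00\x10JFIF\x00" + b"\x00" * 64
    return jpeg_stub + buf.getvalue()
```

Python's own `zipfile` opens the whole blob just as WinRAR does, so this check must look at the leading bytes and the archive together rather than trusting either one.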
One of the techniques used by APT 28 in this campaign depends on users not being able to see the suspicious “.exe” appended to what appears to be a .pdf file, so Binary Defense recommends enabling the display of file extensions for all users, so that any suspicious extension is plainly visible. It is important to test email threat scanners under different conditions to verify that they can detect anomalous files, such as ZIP file contents appended to other file types. Additionally, as the malware beacons every minute, Binary Defense recommends the use of a 24/7 EDR and SOC solution to detect and stop threats, which could be an internally staffed SOC or a security provider such as Binary Defense’s Security Operations Task Force.